Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims: 

1. (Previously Presented) A method comprising: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having one of the embedded agents, each embedded agent to 
store the symmetric cryptographic key in a storage accessible to the embedded agent and not 
directly accessible to a host processor on the client; and 

providing access to an encrypted traffic flow in a network to one of the clients if the 
one of the clients is authenticated with the key, the providing including 

the one of the clients receiving a message requesting a secure connection for 
the encrypted traffic flow, 

prior to any allowing of the requested secure connection, the embedded agent 
of the one of the clients verifying that a platform of the one of the clients is not in a 
compromised state at a time before providing access to the encrypted traffic flow, and 

in response to the message requesting the secure connection and the verifying, 
the embedded agent of the one of the clients providing the key and an assertion that 
the one of the clients is not compromised to a verification entity on the network. 

2. (Previously Presented) A method according to claim 1, wherein provisioning 
the key through the embedded agents further comprises provisioning the key through an 
embedded agent having network access via a network link not visible to a host operating 
system (OS) running on the one of the clients. 
3. (Previously Presented) A method according to claim 2, wherein providing 
access to the traffic flow if the one of the clients is authenticated comprises the embedded 
agent authenticating the one of the clients over the network link not visible to the host OS. 

4. (Original) A method according to claim 1, wherein providing access to the traffic 
flow further comprises providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

5. (Previously Presented) A method according to claim 1, further comprising 
updating at a client the symmetric cryptographic key provisioned across the multiple clients 
through a public and private key exchange with a public and private key associated with the 
client. 

6. (Canceled). 

7. (Previously Presented) A method according to claim 1, further comprising the 
embedded agent indicating to a remote network device if the one of the clients is 
compromised. 

8. (Previously Presented) A method according to claim 1, further comprising the 
embedded agent foreclosing network access to the one of the clients if the one of the clients 
is compromised. 

9. (Original) A method according to claim 1, further comprising the embedded 
agent performing cryptographic functions on data with the key to authenticate data with the 
key. 
10. (Original) A method according to claim 1, further comprising the embedded 
agent including a derivative of the key in a header of data to be transmitted to authenticate 
the data with the key. 

11. (Previously Presented) An apparatus comprising: 

a host platform on the apparatus including a host processor; 

a secure memory not visible to applications and an operating system (OS) running on 
the host platform; and 

an embedded computational device communicatively coupled with the host platform, 
the embedded device to have a network link transparent to the host processor and the OS, the 
embedded device to manage a cryptographic key shared among the apparatus and network 
endpoints to be used to communicate with a server over the network, to receive the 
cryptographic key on the transparent link and authenticate the apparatus, and to store the 
cryptographic key in the secure memory, the embedded computational device further to 
receive a request for a secure connection providing access to an encrypted traffic flow in the 
network, the embedded computational device further to verify, prior to any allowing of the 
requested secure connection, that the host platform is not in a compromised state at a time 
before providing access to the encrypted traffic flow, and in response to the request for the 
secure connection and the verifying, the embedded computational device further to provide 
the cryptographic key and an assertion that the apparatus is not compromised to a verification 
entity on the network. 

12. (Original) An apparatus according to claim 11, wherein the embedded device to 
have a transparent network link comprises the embedded device to have a network connection 
not accessible by the host platform, the link to comply with the transport layer security (TLS) 
protocol. 
13. (Original) An apparatus according to claim 11, wherein the embedded device to 
have a transparent network link comprises the embedded device to have a network 
connection not accessible by the host platform, the link to comply with the secure sockets 
layer (SSL) protocol. 

14. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to verify the identity of the 
apparatus to a network switching device with the key, the key to also be used by the network 
endpoints to verify their respective identities to the network switching device, and the 
network switching device to decrypt encrypted traffic from the apparatus and the network 
endpoints. 

15. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to hash traffic to be transmitted 
with the key. 

16. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to perform cryptographic services 
with the key on traffic to be transmitted. 

17. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to include a derivative of the key 
in a header of traffic to be transmitted. 

18. (Original) An apparatus according to claim 11, further comprising a second 
embedded computational device, the second embedded device integrated on the host 
platform, to verify the security of the host platform. 
19. (Previously Presented) An apparatus according to claim 18, wherein the first 
embedded device to not authenticate the apparatus if the second embedded device determines 
the host platform is not secure. 

20. (Original) An apparatus according to claim 18, further comprising a 
bi-directional private bus between the first and second embedded devices. 

21. (Original) An apparatus according to claim 11, further comprising a counter 
mode hardware cryptographical module on the host platform to encipher traffic with the 
cryptographic key and further provide a counter mode enciphering of the enciphered traffic. 

22. (Previously Presented) A system comprising: 
a host platform including a host processor; 

a digital signal processor (DSP) coupled with the host platform; and 

an embedded chipset including a secure key storage module to perform cryptographic 
key management of a shared cryptographic key with the secure key storage module and a 
private communication channel accessible to the chipset and not the host platform, and to 
access an image of the host platform on a flash accessible to the DSP and not to the host 
processor to determine the integrity of the host platform, the shared cryptographic key to be 
used by the host platform to encipher data and other networked devices within a virtual 
private network, wherein the embedded chipset to receive a request for a secure connection 
providing access to an encrypted traffic flow in the virtual private network, the embedded 
chipset further to verify, prior to any allowing of the requested secure connection, that the 
host platform is not in a compromised state at a time before providing access to the encrypted 
traffic flow, and in response to the request for the secure connection and the verifying, the 
embedded chipset further to provide the cryptographic key and an assertion that the apparatus 
is not compromised to a verification entity on the virtual private network. 
23. (Original) A system according to claim 22, wherein the embedded chipset to 
perform cryptographic key distribution with the private communication channel comprises 
the embedded chipset to perform cryptographic key distribution with a communication 
channel complying with the transport layer security (TLS) protocol. 

24. (Previously Presented) A system according to claim 22, wherein the embedded 
chipset comprises an embedded controller agent and an embedded firmware agent, the 
firmware agent to perform the verification that the host platform is not in the compromised 
state, and the controller agent to operate the private communication channel and manage 
access by the host platform to secure network connections. 

25. (Previously Presented) A system according to claim 24, further comprising a 
bi-directional private communication path between the embedded controller agent and the 
embedded firmware agent to allow the agents to interoperate outside a context of the host 
platform. 

26. (Original) A system according to claim 22, further comprising the embedded 
chipset to hash traffic to be transmitted with the key to authenticate the system to one of the 
other networked devices. 

27. (Original) A system according to claim 22, further comprising the embedded 
chipset to perform cryptographic services with the key on traffic to be transmitted to 
authenticate the system to one of the other networked devices. 
28. (Original) A system according to claim 22, further comprising the embedded 
chipset to include a derivative of the key in a header of traffic to be transmitted to 
authenticate the system to one of the other networked devices. 
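The exchange recited in claims 1, 7, 8 and 22 (embedded agent holds the shared key, measures the platform before any connection is allowed, then answers the connection request with an assertion and a key-based proof to a network verifier) and the header authentication of claims 9, 10 and 26 to 28, as an added Python simulation that is not part of the application and does not represent any product. Everything here is an assumption of the example: the agent proves possession of the key with an HMAC over the assertion instead of transmitting the raw key; the platform check is a SHA-256 measurement of a constructed image compared against a constructed known-good value; the "derivative of the key" placed in the data header is a truncated HMAC tag; and the class, function and key names are invented.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample values for this example (none of them come from the claims).
KNOWN_GOOD_IMAGE = b"platform-image-v1"                # image a healthy platform carries
KNOWN_GOOD_MEASUREMENT = hashlib.sha256(KNOWN_GOOD_IMAGE).digest()
SHARED_KEY = b"\x11" * 32                               # symmetric key provisioned to every agent


def canonical(assertion: dict) -> bytes:
    """Stable byte encoding so agent and verifier MAC exactly the same assertion."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


class EmbeddedAgent:
    """Stand-in for the embedded agent of claim 1. In hardware the key would live in
    storage the host processor cannot address; here the hypothetical host code only
    ever calls handle_connection_request and never sees _key."""

    def __init__(self, client_id: str, platform_image: bytes):
        self.client_id = client_id
        self._platform_image = platform_image   # readable by the agent, not the host (claim 22)
        self._key: Optional[bytes] = None       # filled in by provisioning

    def provision(self, key: bytes) -> None:
        """Receive the shared symmetric key over the agent's own channel (claims 1, 2)."""
        self._key = key

    def platform_is_clean(self) -> bool:
        """Measure the platform image and compare with the known-good value (claim 22)."""
        measured = hashlib.sha256(self._platform_image).digest()
        return hmac.compare_digest(measured, KNOWN_GOOD_MEASUREMENT)

    def handle_connection_request(self, nonce: bytes) -> dict:
        """Claim 1: verify the platform before any connection is allowed, then answer
        with an assertion of its state plus an HMAC proof of key possession."""
        if self._key is None:
            return {"client": self.client_id, "status": "denied", "reason": "no key provisioned"}
        if not self.platform_is_clean():
            # Claims 7 and 8: report the compromise and foreclose network access.
            return {"client": self.client_id, "status": "denied", "reason": "platform compromised"}
        assertion = {"client": self.client_id, "clean": True, "nonce": nonce.hex()}
        proof = hmac.new(self._key, canonical(assertion), hashlib.sha256).hexdigest()
        return {"status": "ok", "assertion": assertion, "proof": proof}


class VerificationEntity:
    """The network-side verifier of claim 1; it holds the same shared key."""

    def __init__(self, key: bytes):
        self._key = key

    def request_and_check(self, agent: EmbeddedAgent) -> bool:
        """Send the secure-connection request with a fresh nonce and check the reply."""
        nonce = os.urandom(16)
        reply = agent.handle_connection_request(nonce)
        if reply.get("status") != "ok":
            return False
        assertion = reply["assertion"]
        if assertion.get("nonce") != nonce.hex() or assertion.get("clean") is not True:
            return False                         # replayed or not-clean assertion
        expected = hmac.new(self._key, canonical(assertion), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, reply["proof"])


def frame_with_auth_header(key: bytes, payload: bytes) -> bytes:
    """Claims 9/10: place a derivative of the key (a truncated HMAC tag) in the data header."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return b"AUTH:" + tag.hex().encode() + b"\n" + payload


def verify_frame(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload if its header tag verifies under the key, else None."""
    header, sep, payload = frame.partition(b"\n")
    if not sep or not header.startswith(b"AUTH:"):
        return None
    try:
        tag = bytes.fromhex(header[5:].decode())
    except ValueError:                           # malformed or non-hex header
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return payload if hmac.compare_digest(tag, expected) else None


def run_demo() -> tuple:
    """Clean client accepted, compromised client refused, intact frame ok, tampered frame rejected."""
    verifier = VerificationEntity(SHARED_KEY)
    clean = EmbeddedAgent("client-A", KNOWN_GOOD_IMAGE)
    clean.provision(SHARED_KEY)
    bad = EmbeddedAgent("client-B", KNOWN_GOOD_IMAGE + b"-with-implant")   # constructed compromise
    bad.provision(SHARED_KEY)
    frame = frame_with_auth_header(SHARED_KEY, b"report-body")
    tampered = frame[:-1] + b"!"
    return (verifier.request_and_check(clean), verifier.request_and_check(bad),
            verify_frame(SHARED_KEY, frame) == b"report-body",
            verify_frame(SHARED_KEY, tampered) is None)


if __name__ == "__main__":
    print(run_demo())
```

The verifier's nonce is what makes the assertion unreplayable: an assertion recorded from a clean client cannot be presented later by the same client once its platform measurement has changed, because the agent refuses to sign anything at all in that state. Constant-time comparison (`hmac.compare_digest`) is used for both the measurement and the tags so that rejection timing does not leak how many bytes matched.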

29. (Previously Presented) An article of manufacture comprising a tangible 
machine accessible medium having content stored thereon to provide instructions to cause a 
machine to perform operations including: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having one of the embedded agents, each embedded agent to 
store the symmetric cryptographic key in a storage accessible to the embedded agent and not 
directly accessible to a host processor on the client; and 

providing access to an encrypted traffic flow in a network to one of the clients if the 
one of the clients is authenticated with the key, the providing including 

the one of the clients receiving a message requesting a secure connection for 
the encrypted traffic flow, 

prior to any allowing of the requested secure connection, the embedded agent 
of the one of the clients verifying that a platform of the one of the clients is not in a 
compromised state at a time before providing access to the encrypted traffic flow, and 

in response to the message requesting the secure connection and the verifying, 
the embedded agent of the one of the clients providing the key and an assertion that 
the one of the clients is not compromised to a verification entity on the network. 

30. (Previously Presented) An article of manufacture according to claim 29, 
wherein the content to provide instruction to cause the machine to perform operations 
including provisioning the key through the embedded agents further comprises the content to 
provide instruction to cause the machine to perform operations including provisioning the 
key through an embedded agent having network access via a network link not visible to a 
host operating system (OS) running on the one of the clients. 

31. (Previously Presented) An article of manufacture according to claim 30, 
wherein the content to provide instruction to cause the machine to perform operations 
including providing access to the traffic flow if the one of the clients is authenticated 
comprises the content to provide instruction to cause the machine to perform operations 
including authenticating the one of the clients with the embedded agent over the network link 
not visible to the host OS. 

32. (Original) An article of manufacture according to claim 29, wherein the content 
to provide instruction to cause the machine to perform operations including providing access 
to the traffic flow further comprises the content to provide instruction to cause the machine to 
perform operations including providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

33. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
updating at a client the symmetric cryptographic key provisioned across the multiple clients 
through a public and private key exchange with a public and private key associated with the client. 

34. (Canceled). 

35. (Previously Presented) An article of manufacture according to claim 29, further 
comprising the content to provide instruction to cause the machine to perform operations 
including indicating with the embedded agent to a remote network device if the one of the 
clients is compromised. 
36. (Previously Presented) An article of manufacture according to claim 29, further 
comprising the content to provide instruction to cause the machine to perform operations 
including foreclosing with the embedded agent network access to the one of the clients if the 
one of the clients is compromised. 

37. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
performing cryptographic functions on data with the key to authenticate data with the key. 

38. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
placing a derivative of the key in a header of data to be transmitted to authenticate the data 
with the key. 